As more and more workloads move to the cloud, more practices need to be developed. ISACA and CSA launched the CCAK certification for auditors; in this presentation I elaborate on the highlights of what an auditor needs to know about the cloud.
What the auditor needs to know about cloud computing
1. Cloud Security
For auditors
Moshe Ferber,
CCSK, CCSP, CCAK
Onlinecloudsec.com
When the winds of change blow, some people
build walls and others build windmills.
- Chinese Proverb
2. #About
Information security professional for over 20 years
Founder, partner and investor at various cyber initiatives and startups
Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT, INFOSEC and more)
Co-hosting the Silverlining podcast – learn about security engineering
Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certification
Member of the board at Macshava Tova – Narrowing societal gaps
Chairman of the Board, Cloud Security Alliance, Israeli Chapter
Cloud Security Course Schedule can be found at:
http://www.onlinecloudsec.com/course-schedule
5. Cloud characteristics:
• Cloud computing characteristics distinguish cloud from other forms of compute (e.g. hosting, outsourcing, static virtualization)
• Mostly relevant for certain regulations
7. The shared responsibility model
Layers of the stack (bottom to top), each assigned to either consumer or provider responsibility depending on the service model (IaaS, PaaS, SaaS):
• Physical security
• Network & data center security
• Hypervisor security
• Virtual machines & OS security
• Data layer & development platform
• Application
• Identity management
• Data
• Audit & monitoring
The boundary between provider responsibility and consumer responsibility moves up the stack from IaaS to PaaS to SaaS; in every model the consumer remains responsible for its own data, its users' identities and the monitoring of its use of the service.
11. Building a cloud strategy: relevant steps
• Guidelines for which data/apps can migrate
• Threats & risks to consider
• Identifying key stakeholders
• Evaluating the provider's maturity and security controls
• Additional controls that should be implemented in the service
13. Data classification is mandatory
Classify data into categories such as:
• Data that can be migrated
• Data that cannot be migrated
• Data that can only be migrated to certain providers
• Data that can only be migrated to certain jurisdictions
• Data that can only be migrated if encrypted / anonymized
Example: UK government data classification has three tiers: Official, Secret, Top Secret. Official is allowed in public cloud.
15. Identifying key stakeholders
Internal stakeholders:
• IT department
• Business owners
• R&D department
• Legal department
• GRC department
• Procurement department
External stakeholders:
• Integration & implementation partners
• Brokers
• Software development companies
• Auditors
• Security consultants
Often the internal stakeholders will form some sort of Cloud Computing Center of Excellence.
16. Stakeholder responsibilities
Procurement:
• Monitor shadow IT
• Authorized providers list
• Budget management - IaaS/PaaS
• SaaS license management
Architecture:
• Building cloud architecture
• Integrating new tools
• Vision and roadmap
GRC/CRO:
• Guidelines for compliance program
• Provider screening process
• Specific controls
Operations/DevOps:
• Automation
• Monitoring
• Security (SecDevOps)
19. High diversity in the market (especially in SaaS)
• Could you do an audit?
• Should you do an audit?
In many cases you must settle for 3rd party attestation.
(figure: Cloud provider A vs. Cloud provider B)
20. Provider evaluation
• Is the service adequate?
• How mature is the provider?
• Are the provider's responsibilities clear?
• Are the customer's responsibilities clear?
• Are there gaps?
21. Provider evaluation – what am I really looking for?
Trust, built on:
• Accountability – Is the provider accountable for its responsibilities?
• Transparency – Is the information I am receiving accurate and actionable?
• Assurance – Will the provider perform as planned?
22. Provider evaluation (mostly on SaaS)
1. Reviewing the security policy
2. Evaluating the provider
3. Evaluating the service
4. Evaluating the supply chain
5. Analyzing gaps
6. Setting special requirements
7. Contract signing
8. Ongoing monitoring
23. Tools for provider evaluation
https://cloudsecurityalliance.org/star/registry/
24. SaaS services – security foundation
Encryption
• Is data encrypted at the cloud provider, and who has the keys?
Identity management
• Who controls the user store?
• Who is responsible for authentication?
Governance & audit
• Who does what?
• Detection of suspicious events
25. IaaS/PaaS – performing security testing
Security assessment
• Usually assesses the cloud infrastructure (configuration of the account, network, storage, identities)
• Requires knowledge of the cloud platform
• Usually made against a checklist
• Evaluates the security posture of the environment
Penetration testing
• Usually covers the application layer
• Mostly black box
• Requires coordination with the provider (check the provider's testing policy before you start)
• Assesses the application's resilience
26. Assessing with a security framework
Security frameworks (non cloud specific):
• ISO 27001
• SOC 2/3
• COBIT
• EU-SEC
Security frameworks (cloud specific):
• ISO 27017 / 27018 (cloud security & privacy)
• CSA STAR
• BSI C5
• NIST 800-53
• PCI DSS cloud guidelines
• CIS benchmarks
Consideration: cloud native vs. migrated to the cloud
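The "security assessment against a checklist" described on slide 25 and the CIS benchmarks on slide 26 both come down to the same thing in practice: export the environment's configuration and evaluate it against a set of pass/fail controls. The following Python is an added example and is not code from the original slides or from CIS. The inventory is a constructed snapshot imitating what an assessor would pull from the provider's APIs (users, security groups, buckets, audit trail), and the checks are modelled on recurring CIS Foundations Benchmark themes (MFA for console users, key rotation, admin ports open to the world, public buckets, encryption at rest, audit logging). The check IDs and the 90-day key-age threshold are assumptions for illustration, not benchmark identifiers.

```python
"""Checklist-style security assessment of a cloud environment.

Added example, not from the original slides. INVENTORY is a constructed,
hand-written snapshot imitating what an assessor would export from the
cloud provider's APIs. The checks are modelled on recurring CIS
Foundations Benchmark themes; the check IDs and the 90-day key-age
threshold are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed inventory (not real data).
INVENTORY = {
    "users": [
        {"name": "alice", "console": True, "mfa": True,
         "access_keys": [{"age_days": 20}]},
        {"name": "svc-build", "console": False, "mfa": False,
         "access_keys": [{"age_days": 400}]},
        {"name": "bob", "console": True, "mfa": False, "access_keys": []},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-assets", "public_read": True, "encryption": "AES256"},
        {"name": "backups", "public_read": False, "encryption": None},
    ],
    "trail": {"enabled": True, "multi_region": False},
}


@dataclass(frozen=True)
class Finding:
    check_id: str   # assumed ID, not a benchmark control number
    resource: str
    detail: str


def check_console_users_have_mfa(inv: dict) -> List[Finding]:
    """Every user with console access must have MFA enabled."""
    return [Finding("IAM-MFA", u["name"], "console user without MFA")
            for u in inv["users"] if u["console"] and not u["mfa"]]


def check_access_key_age(inv: dict, max_age_days: int = 90) -> List[Finding]:
    """Long-lived API keys are a standing credential-theft risk."""
    return [Finding("IAM-KEY-ROTATION", u["name"],
                    f"access key is {k['age_days']} days old")
            for u in inv["users"] for k in u["access_keys"]
            if k["age_days"] > max_age_days]


ADMIN_PORTS = {22, 3389}  # SSH and RDP


def check_admin_ports_not_world_open(inv: dict) -> List[Finding]:
    """No security group may expose SSH/RDP to the whole internet (/0)."""
    out = []
    for sg in inv["security_groups"]:
        for rule in sg["ingress"]:
            world = ipaddress.ip_network(rule["cidr"]).prefixlen == 0
            if rule["port"] in ADMIN_PORTS and world:
                out.append(Finding("NET-ADMIN-INGRESS", sg["id"],
                                   f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_buckets_not_public(inv: dict) -> List[Finding]:
    """Object storage must not grant anonymous read access."""
    return [Finding("STORAGE-PUBLIC", b["name"], "bucket allows public read")
            for b in inv["buckets"] if b["public_read"]]


def check_buckets_encrypted(inv: dict) -> List[Finding]:
    """Object storage must have default encryption at rest configured."""
    return [Finding("STORAGE-ENCRYPTION", b["name"], "no default encryption")
            for b in inv["buckets"] if not b["encryption"]]


def check_audit_trail(inv: dict) -> List[Finding]:
    """Audit logging must be on and cover every region."""
    t = inv["trail"]
    if not t["enabled"]:
        return [Finding("LOG-TRAIL", "trail", "audit trail disabled")]
    if not t["multi_region"]:
        return [Finding("LOG-TRAIL", "trail", "trail is not multi-region")]
    return []


CHECKS: List[Callable[[dict], List[Finding]]] = [
    check_console_users_have_mfa, check_access_key_age,
    check_admin_ports_not_world_open, check_buckets_not_public,
    check_buckets_encrypted, check_audit_trail,
]


def run_assessment(inv: dict) -> List[Finding]:
    """Run every check in the list and return the combined findings."""
    return [f for check in CHECKS for f in check(inv)]


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group affected resources by check ID, ready for the assessment report."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(f.check_id, []).append(f.resource)
    return report


if __name__ == "__main__":
    for f in run_assessment(INVENTORY):
        print(f"[{f.check_id}] {f.resource}: {f.detail}")
```

Against the constructed inventory the run reports six findings: bob lacks MFA, svc-build has a 400-day-old key, sg-admin exposes port 22 to 0.0.0.0/0, public-assets is world-readable, backups has no default encryption, and the trail is single-region. The design point for an auditor is that each check is a small, independently testable function with a stable ID, so the checklist can be versioned alongside the benchmark it is derived from and rerun on every export rather than reviewed by hand once.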
27. Contract management
Usually made up of three parts:
• Agreement
• SLA
• ToS
Usually not negotiable.
Must address the shared responsibility model.
Must address sub-processors.
Cloud-specific clauses:
• Location of services
• Conflict resolution
• Breach notification
Must address end-of-service and migration.
28. Privacy considerations
Data privacy laws are turning the world into privacy islands.
Important topics:
• Data residency
• Processor vs. controller roles
• Data subjects' rights
• Breach notifications
Check out the CSA Privacy Level Agreement:
https://cloudsecurityalliance.org/research/working-groups/privacy-level-agreement/
29. Summary
The word cloud describes many different types of services, with different
security considerations.
Pick your battles –
• Large mature IaaS/PaaS providers – focus on customer maturity
• SaaS services – Choose your partners wisely
• Practical cloud policy is the place to begin, everything else will follow